A Guide to Employing Mobile Security

It’s a Party: BYOD!

Smartphones, tablets and other mobile devices have become indispensable in our daily lives. Securely integrating these devices into an organization’s IT processes and infrastructure is a complex challenge for companies of all sizes.

Some react to this challenge by telling users that they cannot bring your own devices (BYOD) into the corporate data environment, but this approach ignores a reality wherein users demand the convenience that mobile devices so nicely afford. Other companies embrace BYOD with open arms, but without the necessary security policies and procedures to prevent data leakage or loss. The best practice for mobile security is firmly seated somewhere between these two extremes.

When implemented with proper consideration for all of the variables that mobile devices bring with them, proper management tools and a comprehensive mobile security policy combined with the concepts of BYOD and cloud computing can produce a huge win-win for companies and employees.

How many of us still carry a smartphone for personal use AND a Blackberry for business use? In the past, corporate justification for this redundancy was that Blackberries were designed from the ground up with enterprise-level security features while smartphones – that is, iPhones, Android phone and tablets, and other mobile devices -- were not. Companies also balked because smartphones were too expensive for them to underwrite their acquisition and implementation costs. State-of-the-art technology is solving the issue of mobile device security while an emerging BYOD trend is addressing the issue of acquisition costs.

But there are still other critical considerations when formulating a comprehensive mobile device security strategy:

What corporate data will mobile devices access? Typically, corporate applications and data available to mobile device users will be a subset of corporate data available to users sitting inside the boundary firewall.

Where will that data reside? Most InfoSec experts agree that private cloud computing, meaning a cloud environment controlled and secured by the corporation, must be an integral part of any secure mobile device strategy.

How will companies encrypt data for mobile device access? Any effective mobile device security strategy must provide encryption for data at-rest, in-motion and in-use. End-to-end data encryption capabilities are a nice advantage for a private cloud model for mobile devices.

How will mobile devices be deployed? Whether company-provided or BYOD, all mobile devices must go through a standard deployment process that can be measured and monitored to ensure conformity with corporate policies and procedures.

How will mobile devices be managed? Mobile device management (MDM) tools are now available to plug all security, monitoring and management gaps found in today’s mobile devices.

How will mobile device authentication and access control be addressed? Accessing corporate applications and data from a mobile device is just like other secure remote access needs.

How will mobile devices be protected from malware? All of the big-name anti-virus vendors have released or will soon release versions of their malware protection software for mobile devices. Be warned: there are additional steps to take, to ensure malware doesn’t put your company or its data at risk.

How will companies manage risks inherent in wireless networks? Use of virtual private network (VPN) tunneling, requiring encryption at the wireless router level and the use of media access control (MAC) filtering when practical are valid and prudent approaches to securing wireless networks.

Ed Tittel is a 30-year-plus veteran of the computing industry, who’s worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written and blogged for numerous publications, including Tom's Hardware, and is the author of over 140 computing books with a special emphasis on information security, Web markup languages and development tools, and Windows operating systems.